Select module type by mime-type #2005
Comments
Yes, that is how systemjs@0.21 worked. Here are the downsides that I am aware of:
Would be happy to learn more about this - my comment isn't comprehensive.
One of the primary features of SystemJS is being CSP compatible.
Script tags require the 'unsafe-inline' script-src policy, don't they?
How does using script make it CSP compatible while eval would not?
For example, here is GitHub's policy:
which would support SystemJS but not eval.
Ideally we could apply a Alternatively a separate mode / extra would be the way to go for this, and would be straightforward too. Say a small I'd be glad to support these paths further, and other suggestions welcome too.
We're migrating a large codebase from HTML Imports to es modules, and use a server-side transform to es module / systemjs. So we're serving .html files with mimetype text/javascript which we need running as javascript. If I'm not mistaken,
@LarsDenBakker so you mean we could fetch the module for CSS / Wasm / HTML extensions, and if it is application/javascript "opt-out" and then do an eval specifically in those cases? Thus the CSP support is only lost for those specific files. That seems like a really nice compromise actually!
Yes that's what I mean. The use case of transforming .js into something else is a lot less, I think.
@justinfagnani would @LarsDenBakker's suggestion as above work for your use cases?
Possibly. I would love to see it fixed fully generally though. Could you attach a script with a blob URL?

```js
const scriptEl = document.createElement('script');
// Blob takes an array of parts, not a bare string
const blob = new Blob([sourceText], {type: 'application/javascript'});
const objectURL = URL.createObjectURL(blob);
scriptEl.src = objectURL;
// ...
```
@justinfagnani blob URLs will usually fail the script-src CSP directive, and rightly so as they are an execution injection. The only general solution I can see is if we could guarantee that the fetch cache and script cache were shared, so that we could still inject a script after checking the MIME from the fetch call. But I believe Chrome explicitly has separate caching between scripts and fetch. I'd be happy to include the compromise approach in v6 though, and it does sound like the best bet to me without new information here.
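The compromise agreed above, written out as an added example (this is not SystemJS's own code and not from any participant in the thread; `selectLoader`, `extensionOf`, `essenceMime` and the returned `strategy`/`format` fields are names assumed for this illustration). A `.js` URL is never fetched, so it can be injected as a `<script>` and keep working under a strict `script-src`; the CSS / Wasm / JSON / HTML extensions are fetched and the returned `Content-Type` decides whether the body is handled as that format or, when the server says it is JavaScript (the transformed `.html` case above), evaluated with the eval fallback, which is the only path that needs `'unsafe-eval'`:

```javascript
// Added example: pick a load strategy from the URL extension and the
// Content-Type the server actually returned. Not SystemJS code; the names
// below are assumptions made for this illustration.
'use strict';

// Extensions that are fetched and inspected instead of injected as <script>.
const FETCHED_EXTENSIONS = new Set(['css', 'wasm', 'json', 'html']);

// Non-JavaScript MIME types mapped to the module format they represent.
const FORMAT_BY_MIME = {
  'text/css': 'css',
  'application/wasm': 'wasm',
  'application/json': 'json',
  'text/html': 'html',
};

// JavaScript MIME types (text/javascript is the canonical one, RFC 9239).
const JS_MIME = /^(?:text|application)\/(?:x-)?(?:javascript|ecmascript)$/;

function extensionOf(url) {
  // Resolve against a dummy origin so relative specifiers work too; the
  // query string and fragment are dropped by using pathname only.
  const { pathname } = new URL(url, 'https://example.invalid/');
  const base = pathname.slice(pathname.lastIndexOf('/') + 1);
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

function essenceMime(contentType) {
  // "text/javascript; charset=utf-8" -> "text/javascript"
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Returns { strategy, format }:
//   'script' -> inject <script type="module" src=...>; no fetch, CSP friendly
//   'fetch'  -> use the fetched body as the named non-JS format
//   'eval'   -> the response was JavaScript despite its extension; this is
//               the single case that gives up CSP compatibility
function selectLoader(url, contentType) {
  const ext = extensionOf(url);
  if (!FETCHED_EXTENSIONS.has(ext)) {
    return { strategy: 'script', format: 'esm' };
  }
  const mime = essenceMime(contentType);
  if (JS_MIME.test(mime)) {
    return { strategy: 'eval', format: 'esm' };
  }
  const format = FORMAT_BY_MIME[mime];
  if (!format) {
    throw new TypeError(`Cannot load ${url}: unexpected Content-Type "${mime}"`);
  }
  return { strategy: 'fetch', format };
}

// Constructed sample inputs: a transformed .html file served as JavaScript
// and a stylesheet served with its proper type.
console.log(selectLoader('/app/widget.html', 'text/javascript; charset=utf-8'));
console.log(selectLoader('/app/theme.css', 'text/css'));
```

Note that the MIME check rejects anything it does not recognise rather than guessing from the extension, so a misconfigured server (say, `.wasm` served as `text/plain`) fails loudly instead of being evaluated as something it is not.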
I've gone ahead and implemented this approach in #2006.
The eval fallback approach has been released in 6.0.0.
Matching the spec here will help head off potential errors that could be caused by misconfigured servers or server-side transforms that expect spec compliance.

Consider a server-side transform that UA-sniffs to detect JSON module support, and if the browser doesn't support them transforms `foo.json` to a JS module. The transform cannot rename the file, but it can set the mime-type.

I saw the explanation for selecting based on file-extension, but I wonder if injecting script tags is really necessary. Could scripts not be executed by using fetch + a wrapper + eval? The wrapper can put the script in strict mode and ensure that top-level `this` is undefined, and even make top-level await work.
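The "fetch + wrapper + eval" idea from the issue text, as an added example (not SystemJS code and not the issue author's; `wrapModuleSource`, `evalModule` and the `bindings` parameter are names assumed here). The module body is placed inside an `async function` so top-level `await` is legal, a `"use strict"` directive makes the body strict, and calling the function with `.call(undefined)` keeps top-level `this` undefined. Indirect eval runs the wrapper in global scope, so the module text cannot reach into the loader's local variables; anything it needs (for instance a `System` object for `System.register` calls) is passed in explicitly:

```javascript
// Added example: evaluate fetched module text through a strict, async
// wrapper. Not SystemJS code; names are assumptions for this illustration.
'use strict';

// Build the wrapper source. The newline before "})" stops a trailing "//"
// line comment in the module text from swallowing the closing bracket, and
// the sourceURL comment gives devtools a name for stack traces.
function wrapModuleSource(source, paramNames = [], sourceURL = 'module.js') {
  return (
    `(async function (${paramNames.join(', ')}) {\n"use strict";\n${source}\n})` +
    `\n//# sourceURL=${sourceURL}`
  );
}

// Evaluate a module body. (0, eval) is an indirect eval: the code runs in
// global scope and cannot see this function's locals, so the caller decides
// exactly which bindings the module may use. Returns a promise because the
// body is async; a top-level await inside the module simply delays it.
function evalModule(source, bindings = {}, sourceURL) {
  const names = Object.keys(bindings);
  const values = names.map((name) => bindings[name]);
  const factory = (0, eval)(wrapModuleSource(source, names, sourceURL));
  return factory.call(undefined, ...values);
}

// Constructed sample module text: uses top-level await, reads `this`, and a
// binding supplied by the loader.
const demo = evalModule(
  'const n = await Promise.resolve(41);\nreturn [typeof this, n + 1, greeting];',
  { greeting: 'hi' },
  'demo-module.js',
);
demo.then((result) => console.log(result)); // logs [ 'undefined', 42, 'hi' ]
```

`import`/`export` syntax is not valid inside a function body, which is why this path only works on text that a transform has already converted to a non-ESM shape such as SystemJS's `System.register` format, as described for the `.html` migration above. Everything evaluated this way still needs `'unsafe-eval'` in `script-src`, so it belongs on the fallback path only.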